Hi,

> I had a look at the files and found that the key required to verify the
> signature is not contained in the KEYS file in the tar ball.

AFAIK having the KEY file in the tar ball is not really helpful at all as it could be modified and republished. The KEY file needs to be stored alongside the release [1], hashes and KEYS are not propagated on the mirror system. [2]

Thanks,
Justin

1. https://www.apache.org/dev/release-signing.html#keys-policy
2. http://www.apache.org/dev/release-publishing.html#distribution_dist
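The point made in the reply above, as an added example that is not part of the original message or of any Apache tooling: a signature checked against a KEYS file that travels with the artifact is accepted for any signer, while the same check against the KEYS file from the canonical location rejects a republished copy. All keys and files are constructed throwaways, the function names `sign_as`, `verify_release` and `check` are hypothetical, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Constructed demo: all keys, files and names are made up and live in a temp dir.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# sign_as NAME FILE: make a throwaway key for NAME, export it to NAME.KEYS,
# and write a detached signature FILE.asc.
sign_as() {
    h="$work/$1.gnupg"; mkdir -m 700 "$h"
    gpg --homedir "$h" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1 <$1@example.invalid>" 2>/dev/null
    gpg --homedir "$h" --batch --armor --export > "$work/$1.KEYS"
    gpg --homedir "$h" --batch --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$2.asc" "$2" 2>/dev/null
    gpgconf --homedir "$h" --kill all 2>/dev/null || true
}

# verify_release KEYS FILE: import only KEYS into an empty keyring, then check
# FILE.asc against FILE. Returns 0 only if a key listed in KEYS made the signature.
verify_release() {
    h=$(mktemp -d "$work/verify.XXXXXX")
    gpg --homedir "$h" --batch --quiet --import "$1" 2>/dev/null || return 2
    if gpg --homedir "$h" --batch --verify "$2.asc" "$2" 2>/dev/null; then
        return 0
    fi
    return 1
}

check() {
    if verify_release "$1" "$2"; then echo ACCEPTED; else echo REJECTED; fi
}

printf 'release 1.0 contents\n'          > "$work/genuine.tar"
printf 'release 1.0 contents, altered\n' > "$work/republished.tar"
sign_as project "$work/genuine.tar"      # project.KEYS stands in for the canonical KEYS
sign_as other   "$work/republished.tar"  # other.KEYS stands in for a KEYS file inside the copy

echo "genuine,     canonical KEYS: $(check "$work/project.KEYS" "$work/genuine.tar")"
echo "republished, bundled KEYS:   $(check "$work/other.KEYS"   "$work/republished.tar")"
echo "republished, canonical KEYS: $(check "$work/project.KEYS" "$work/republished.tar")"
```

The second line of output is the failure mode: the check passes, but only because the KEYS file came from the same place as the artifact it vouches for.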